Like with any partnership, when looking for an ITAD provider, also known as an IT Asset Disposition provider, the decision shouldn’t be made lightly. Especially because disposing of IT assets properly is critical. While you may have many options for ITAD providers, keep in mind that not all are created equal. To find the right fit, here are eight things to look for in your ITAD provider.
#1: Compliance and Security
Data security and managing your risk are the most important reasons to partner with an ITAD company vs. trying to manage the process yourself. One instance of compromised data could be devastating for your company, which is why compliance and security are at the top of the list when it comes to things to look for in an ITAD provider. That includes:
This is not an area to be overlooked. Whether your assets will be destroyed, recycled, or refurbished, any existing data must be properly removed from the assets. Your provider should tell you how they handle the data and what that process looks like. In order to control the process and accurately report on the data sanitization, the provider must have a strong ERP system (which we’ll talk more about below). This sometimes takes place on-site, but if not, see if they:
- Allow facility inspections
- Allow you to witness data destruction
- Provide documented policies and processes
Also, be sure to ask for proof or certification of destruction. It will verify that the equipment has been scrubbed, recycled, and destroyed in a manner that satisfies the terms of your contract. Unfortunately, there isn’t a governing body that issues these certificates of destruction, so we advise you to work with an ITAD provider that has been certified by a respected third-party organization. We’ll talk more about the certifications below.
Note: if the provider identifies some of your equipment as eligible for refurbishment or remarketing, be sure that you get proof or a certificate that verifies the complete erasure or destruction of data on those assets.
As important as properly removing data from IT assets is, the facilities that the assets are stored or housed in must also be secure. Find out if your potential provider has things like:
- Controlled security access (badges, metal detectors, etc.)
- Annual certified facility audits
- Alarm systems
- 24/7 video surveillance and recordings of the facility or facilities
As an added layer of transparency, ask if they allow facility inspections or client audits. See for yourself what their facilities look like and how secure they are.
The facilities will only be as secure as the employees working in them. The best processes and security measures in the world won’t make a difference if employees can’t be trusted. If an employee has access to the facility or the equipment, they should have a background check. Beyond that, there needs to be policies to ensure compliance from employees and penalties for noncompliance.
Depending on what industry your business is in, you’ll want to make sure your ITAD provider has experience working in that industry and is compliant. The services they do for you should help your company be compliant as well. Examples include:
Healthcare: HIPAA, HITECH
Environmental: CERCLA, RCRA, SREA
Retail/Online: PCI DSS, COPPA
Financial: FACTA, GBLA, SOX, PCI DSS, FDIC
Data Security: NIST SP 800-88r1
Other: GDPR, CCPA, Basel Convention, EAR, ITAR, OSHA, DOT, and also state-by-state law
#2: Asset Reporting (ERP System)
Another important piece that should be a part of the ITAD providers process is effective and secure asset reporting or ERP system. Each item should be logged in an inventory, monitored, and tracked throughout the entire disposition process. The importance of an ERP system can’t be stressed enough. It prevents risk and mistakes from happening; it tracks everything to avoid things going astray.
Reporting should include things like:
- Hard drive serial number reporting
- Equipment serial number or asset tag reporting
- Details reporting of type, make, condition, defects and model
- Certificates of Data Erasure, Data Destruction, Recycling
- Final disposition of each piece of equipment: resold, recycled, etc.
You will depend on these system reports’ accuracy for any sort of audit trail you’ll need. An example of an ERP would be NetSuite, which is what we use here at Summit. Many providers just use Excel spreadsheets and think that’s good and accurate enough. It’s not. So much of that process is manual, which increases the chances for errors and issues. Don’t raise your risk and settle for spreadsheets. To help narrow down vendors, you’ll want to dig deeper and ensure these ITAD providers have a very strong ERP and remove those from the list with weaker ERPs.
#3: Sustainability Practices for ITAD Providers
E-waste continues to be a growing issue, with toxic waste material making up nearly 70% of landfills; you want to ensure you work with an ITAD provider who isn’t adding to the problem. Find out:
- Is environmental responsibility a priority for this provider?
- Is reuse/resale a priority over recycling and disposal?
- Do they have a no landfill policy?
- Who makes up their downstream partnerships, and will they compromise the vendor’s accountability? Will they add risk for you in their environmental practices? Do they have the same degree of environmental commitment?
- What is the component harvesting, recycling, and materials recovery process?
- Are they R2 certified?
More and more companies are starting to incorporate circular and carbon-reduction processes into their business models, including the IT asset lifecycle. Your ITAD vendor should work with you to help reduce waste, reclaim raw materials for remanufacturing, increase reuse levels, and incorporate considerations for a product’s entire life cycle. Extending the life of the equipment is better for the environment and for society.
Related Reading: Choosing an IT Vendor: 15 Must-Ask Questions
#4: Effective IT Asset Recovery
When it comes to ITAD, data security/risk mitigation and sustainable/Green IT practices should be the first two priorities, but value recovery is important for your IT budget. Especially if you’re trying to make a case for working with an ITAD provider in the first place, the amount you get back from recovered assets can help offset the fees from the vendor.
When selecting an ITAD provider, you want to ensure they’re going to work to get you the most value for your assets. They should have your best interest in mind. See if they can demonstrate a track record of returning value to their other customers. Experience in the industry can help with this, so be sure to find out how long they’ve been in business. The longer they’ve been in business, the more they likely have deep industry relationships and know what the value of your assets should be. Understand their distribution channels for used equipment — select the ITAD provider who (after covering all risks) has the best-optimized channels to maximize return.
But note, this is a secondary consideration. If they’re not adequately addressing your risks, then the value recovery is not important at all — the potential damage to your brand is so much greater than any value return you may ever see.
#5: IT Asset Removal
When it comes to actually removing the assets from your facility, you want the services and logistics to not only be secure, but convenient for you. Here are a few things to look for when it comes to the actual removal of the assets:
- Packing services
- Decommissioning services
- Professional on-site technicians
- Secure collection and transport
#6: Secure Transportation and Logistics
If an ITAD provider offers transport as part of their service, this is a very vulnerable step in the process. Equipment can fall off of open truck beds, or unlocked vehicles can be broken into and items stolen. What is their transportation and logistics process? How do they ensure that your assets aren’t compromised when going from point A to point B? Be sure to look for a vendor who has closed and secured transportation methods available.
#7: ITAD Provider Certifications
Check the credentials of an ITAD company to ensure that the vendor is knowledgeable and experienced in the industry and align with your goals, especially when it comes to data security and sustainability. Here are a few certifications to look for in an ITAD provider:
R2 (Responsible Recycling)
R2 certification is a facility level certification based on the R2 standard that is overseen by the R2 Technical Advisory Committee (TAC). This standard is described as “Responsible Recycling (“R2”) Practices for Use in Accredited Certification Programs for Electronics Recyclers.” It requires companies that are certified have a policy to manage used and end-of-life electronics equipment, components, and materials based on strategies such as reuse, materials, and energy recovery, and disposal.
RIOS™ is the recycling industry’s management system. Combining Quality, Environmental, and Health and Safety, RIOS™ (the Recycling Industry Operating Standard™) was designed for recyclers, by recyclers as an effective way to ensure compliance, improve health and safety across the facility, strengthen the quality of material being produced, and enhance environmental responsibility across all operations.
ISO standards are internationally agreed upon by experts. They’re meant to be thought of as formulas that describe the best way of doing something.
ISO 9001: sets out the criteria for a quality management system and is the only standard in the family that can be certified to (although this is not a requirement).
ISO 14001: sets out the criteria for an environmental management system and can be certified to. It maps out a framework that a company or organization can follow to set up an effective environmental management system.
ISO 45001: specifies requirements for an occupational health and safety (OH&S) management system, and gives guidance for its use, to enable organizations to provide safe and healthy workplaces by preventing work-related injury and ill health, as well as by proactively improving its OH&S performance.
NIST SP 800-88 Compliance
NIST Special Publication 800-88 or “Guidelines for Media Sanitization,” is a U.S. government document that provides systematic guidance for erasing data from electronic storage media. While this is not a certification, it is the standard for data sanitization that everyone needs to follow. Ask your ITAD provider for evidence they follow this standard.
#8: Customer Service and Support
Last but not least, find out what their customer service and support is like. What can you expect as far as lead and response times? Find out what their communication methods are like. These should be similar to methods that work well for you and your team. Ask how often they plan to communicate and what the relationship looks like after the assets have been removed. This is meant to be a partnership.
By looking carefully at these eight areas and getting a good understanding of the options available to you, you’ll find an ITAD provider and partner that:
- You can trust
- Eliminate your risks
- Will securely manage your data and assets
- Will get you the best value for those assets
- Has experience in the industry and dependable processes
- Practices sustainable ITAD
- Make the process easy and convenient for your company
Are you ready to explore partnering with an ITAD provider?